Image Legal and Compliance Questions

The answers to the most frequently asked questions are shown below. If you have a question that isn't answered here or would like any more in-depth information, please contact us.

What is the difference between an electronic signature and a digital signature?

"Electronic signature" is a generic, technology-neutral term that refers to the universe of all of the various methods by which one can "sign" an electronic record. Although all electronic signatures are represented digitally (i.e., as a series of ones and zeroes), they can take many forms and can be created by many different technologies. Examples of electronic signatures include: a name typed at the end of an e-mail message by the sender; a digitized image of a handwritten signature that is attached to an electronic document (sometimes created via a biometrics-based technology called signature dynamics); a secret code or PIN to identify the sender to the recipient; a code or "handle" that the sender of a message uses to identify himself; a unique biometrics-based identifier; and a digital signature (created through the use of public key cryptography).

What is a biometric handwritten signature?

A captured handwritten signature looks identical to a person’s original, wet-ink signature. But, should one use the xyzmo digital signature suite, it is much more than merely an electronic image. SIGNificant records the handwritten signature of a person by parameters of pressure, acceleration, speed, and rhythm. These parameters are unique to every individual and cannot be easily reproduced by a forger. Once a signature, including all the biometric parameters, has been embedded into a document, it is turned into a signed and sealed PDF. Anyone can verify the signature and content integrity anywhere and at any time. Thus, unrecognized, post-signing manipulations are impossible. 

ISO/IEC 19794-7:2007 standard for biometric signature exchange

All captured biometric signatures can be exported according to the ISO/IEC 19794-7:2007 standard for biometric signature exchange, providing full vendor independence of the signed documents.

Can documents signed by SIGNificant be viewed and verified by users who don't have SIGNificant installed?

SIGNificant is based on the open ISO PDF standards and true digital signatures, with no proprietary e-signature technology. All signatures and their cryptographic information are embedded into the signed PDF. You don't need to be a xyzmo customer or return to our website, just to check the validity of documents. Any proper PDF reader will do the job.

Why do digital signatures and annotations not appear in some PDF viewers?

Unfortunately, some PDF-viewers, for example, for the iPad (including the default reader that comes with the iPad), do not yet fully support PDF standard annotations and digital signatures. Such applications often simply ignore the annotation "layer" of standard PDF documents. In order to be able to view PDF annotations and digital signatures in such applications, these elements must be "flattened" into the normal content layer. There are some solutions that "ignore" this issue and actually modify the normal content layer "hard-code". They simply embed a graphical representation of annotations and signatures into the normal content layer. While this approach has a certain advantage (no problem with those PDF viewers), the main disadvantage of it is that it alters the original PDF content in an irreversible manner. You won't be able to delete or modify this imitation of an annotation later and you will lose all the biometrical information in the signature. All that remains is a graphical representation. This is not how we prefer to treat your PDF documents. Our signatures and annotations comply with ISO PDF Specification, meaning that annotations can be removed or modified later by PDF processing programs, and all signatures contain all the biometric informations. Having said that, in some of our apps, we still provide you with the possibility of flattening the PDFs, if you wish.

Can a captured signature from a signature pad be forged?

SIGNificant records the handwritten signature of a person by parameters of pressure, acceleration, speed, and rhythm. These parameters are unique to every individual and cannot be easily reproduced by a forger. A forged signature is usually created by either tracing an existing signature or simply trying to re-create the signature by memory. Either way, a forged signature is either "accurate and slow or fast but inaccurate". SIGNificant is able to record the time that it takes someone to write their signature, which means that a side-by-side comparison of a legitimage signature and a forgery will be quick and simple because typically the signature will either appear visually correct but have a slower time-stamp or the time stamp will be correct but the signature will be completely visually inaccurate. Of course, the speed at which someone generates a signature is not the only characteristic considered when analyzing possible forgeries. Some other items include the size, connecting strokes, and proportions of the original signature. All of these parameters are recorded by SIGNificant and are retrievable for a forensic examiner using a tool called PenAnalyst, which is provided if the need ever arises.

How can I be sure that my signature is not transferred to an unauthorized document?

The document contains a captured signature that has been encrypted (RSA 4096 + AES256). A person’s signature is encrypted immediately as it is captured by the signature pad, using the private key of a special certificate. This special certificate is selected by the company using the xyzmo suite, and is typically stored in a secure environment outside the company (bank safe, external notary, etc.). Thus, xyzmo has no access to this certificate. For the encryption of signatures, the xyzmo suite just needs the public key of the certificate. It is only for decryption, and the extraction of signatures from a document, that the private key is required. Only specific people, to whom the company has granted access to this certificate, will be able to decrypt the profile using the PenAnalyst tool, which is provided as part of the suite. This tool was developed in consultation with forensic experts, and is useful in legal disputes for proving who signed a particular document. Furthermore, each captured signature is bound to a specific document (“document binding”). We generate a unique “fingerprint” for each document and store it together with the captured signature. Thus, it is easily possible to prove within PenAnalyst that a certain signature belongs to a particular document.

What if my signature transmission is traced and re-sent later?

With a great deal of criminal energy, technical, in-depth knowledge about the special customer installation and, the signature pad used, and unsupervised access to the computer, it is theoretically possible to carry out this action. Compared to the ease of faking signatures on paper, this represents a really big effort. End-to-end security is only possible with the right signature pad in place. The processor of the SIGNificant ColorPad, for example, contains the public key of a second key pair (RSA 2048-bit). By means of this key, the biometric data is encrypted in the pad itself. This ensures that highly sensitive information can never be viewed in decrypted format in the unsafe “computer” environment (e.g. main memory). The private key of this second key pair is safely deposited by a notary public or in a safe deposit of your choice. With this setup, full end-to-end security is possible.

How is the signer protected from signing a document he is not shown?

It is possible for the original document that is intended to be signed to be replaced by another one, which is typically done by a “man-in-the-middle” attack. If deployed on a distributed server architecture, SIGNificant uses SSL encryption for all network communication throughout the entire signing process. In this way the data can neither be sniffed nor manipulated by attackers. It is also crucial to allow the signer to read the actual document that is to be signed. Obviously it is better to enable this directly on the signing device itself, instead of relying on an external screen. SIGNificant enables this, as described above.

How does SIGNificant comply with electronic and digital signature rules and regulations?

SIGNificant is designed for global compliance with key components of:

  • the European Directive 1999/93 EC on a Community Framework for Electronic Signatures, including the UK Electronic Communication Act, 
  • the U.S. ESIGN Act
  • US state laws modeled after 1999 UETA
  • Rules from the FDA, FTC FHA, IRS, and FINRA, among many others
  • German BIPRO Norm (xyzmo is even a BIPRO member)

The SIGNificant electronic signature complies with the prevalent EU legislation and regulations, for both an "electronic signature" and an "advanced electronic signature." The law discusses the terms regarding an advanced electronic signature:

  • (a) which is uniquely linked to the signatory
  • (b) which is capable of identifying the signatory
  • (c) which is created using means that the signatory can maintain under his sole control, and
  • (d) which is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

Do I need consent from the signer to sign documents electronically?

Between businesses, the nature of the parties’ consent to do business electronically can be established explicitly or by implication based on the parties’ interactions. However, consumers receive special protection under EU law, ESIGN and some state UETA enactments. Electronic documents may be used only if the consumer:

  • receives certain disclosures (e.g. UETA Consumer Consent Disclosures) has affirmatively consented to use electronic signatures for the transaction and has not withdrawn such consent

Will you go to court with us?

While xyzmo has a successful history of providing customers with all the evidence they need to defend their documents against repudiation, xyzmo is available to assist you with legal challenges by testifying in court on the validity of xyzmo documents.

Do you support third party certificates and smart-cards?

Yes, in fact, we even have dedicated products especially for this reason. You can e-sign based on digital certificates (smart card, USB token, software certificate, HSM).

Learn More

What if the quality of the captured signature data is not good enough for forensic analysis?

Generally, the quality of the data from signature capturing devices is very good. Nevertheless, signature capturing devices can also be used within thin client environments, such as Citrix, RDP, or VMWare. 

In that case, you require a local software component running on the thin client device that receives the data packets from the USB signature pad; otherwise you will lose some of the biometrical data packets due to latency issues. The reason is that signature pads send the data they record with file-and-forget, which is not an issue if the receiving software runs locally. However, in a thin client environment, the buffer that stores the received biometrical data packets may not be read in-time, because access from the receiving software is delayed by the network’s latency. Thus, a simple pass-through that uses USB redirection does not work for signature tablets. Therefore SIGNificant provides a local software component that runs directly on the thin client in the background to read the data packets from the data buffer without any delay, as required for a flawless operation.

How can I make sure that the encryption of a signature embedded in a document is not compromised by brute force attacks?

Theoretically there is a chance that AES/RSA encryption could be hacked using a brute force approach, once the required processing power becomes available. Consequently, the signature data embedded in a document could be decrypted and misused with intent to defraud. In an online scenario, where the SIGNificant Server is used, the original documents are always kept securely on the server. Every document the user views on the client computer is only an image of the original PDF document, and thus it cannot be manipulated fraudulently. Moreover, it is possible to provide the signer only a digitally signed copy (flattened version) of the original PDF file, which only contains the graphical representation of the handwritten signature without its biometrical data. The signed original document, which includes the biometrical data to enable a forensic analysis of its contained signatures, is stored in a centralized and secured archive.

How is the communication between the client and the server secured?

When the solution transmits its data in a client-server environment, it must traverse the company network or in some cases (e.g. mobile) the mobile device's carrier network and the internet. Thus agents might exploit vulnerabilities to intercept sensitive data while it is traveling across the wire. We recommend the use of SSL/https for all client-server communication. The configuration of the SSL certificate is done directly on the IIS server used by the SIGNificant Server. The system administrator is responsible for that task. Several additional security mechanisms (such as reverse proxy, basic/Windows authentication, web single sign-on, etc.) can be used together with the SIGNificant Server Platform.

Is a signature still useful?

Quote from a BBC news report: The signature may have more life in it than some techno-enthusiasts might imagine. If it survives, it won't be because it's safer or more efficient, but because people develop an emotional attachment to their own one. "It's not like a Pin," Mike Allen, a forensic document analyst with 30 years experience. "It's someone making their mark and saying 'I agree with this.' It's not about being safer - the value of it is that it's you." More than that, it's also uniquely and entirely yours.

How does SIGNificant for biometrically signed PDF documents comply to EU Regulation 910/2014 on electronic identification and trust services for electronic transactions?

Please see the document EU Regulation 910/2014 on electronic identification and trust services for electronic transactions.

How SIGNificant complies with eIDAS?

The Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) is a milestone to provide a predictable regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities. In this regard, the eIDAS Regulation ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in other EU countries where eIDs are available. creates an European internal market for eTS - namely electronic signatures, electronic seals, time stamp, electronic delivery service and website authentication - by ensuring that they will work across borders and have the same legal status as traditional paper based processes. Only by providing certainty on the legal validity of all these services, businesses and citizens will use the digital interactions as their natural way of interaction. 

With eIDAS, the EU has managed to lay down the right foundations and a predictable legal framework for people, companies (in particular SMEs) and public administrations to safely access to services and do transactions online and across border in just "one click". Indeed, rolling out eIDAS means higher security and more convenience for any online activity such submitting tax declarations, enrolling in a foreign university, remotely opening a bank account, setting up a business in another Member State, authenticating for internet payments, bidding to on line call for tender, etc. As a regulation eIDAS will enter in force directly, without the need of a national legislation. The regulation will automatically replace any inconsistent national laws in Europe. The framework is based on the Member States’ reciprocal obligation to recognise trust services if those services are based on a qualified certificate issued in one Member State. 

The opportunities lie in the leveraging of electronic trust services as a key enabler of the e-signature market by making electronic transactions more secure, convenient, and trustworthy. European businesses will be able to contract online (e.g. both “onboarding” new customers, as well as offering new products to existing clients). One of the major benefits of eIDAS is that qualified digital signatures can now be generated using server-side signatures (where the signer's key is held securely on a trusted server), which are far more efficient and cost-effective than the smartcard-based systems in use today. 

The power of SIGNificants's flexible and open architecture is that it can incorporate multiple external e-Identity Providers (IdPs). 

  • Server-side signing: the user’s keys are held securely inside a Hardware Security Module (HSM) or cloud-based service attached to the SIGNificant Server. 
  • Local signing: the user’s keys are held on a smartcards or USB tokens 

Furthermore server-side qualified signatures can be combined with capturing forensically identifiable signatures on signature pads or mobile devices. SIGNificant records the handwritten signature of a person by parameters of pressure, acceleration, speed, and rhythm. These parameters are unique to every individual and cannot be easily reproduced by a forger. Once a signature, including all the biometric parameters, has been embedded into a document, it is turned into a signed and sealed PDF. Based on the embedded signature the identity of the signer can be proved anytime via a forensic expert like today on paper.

Want to start your digital transformation? Let's talk.

If you would like to know more about any aspect of Enterprise Document Infrastructure management, from e-signatures to the single integrated system needed for all enterprise document creation & output needs, contact us.